DNSSEC error resolving gpo.gov ?

Mark Andrews marka at isc.org
Tue Apr 4 12:55:51 UTC 2023


Also, it does no harm.  SHA1 DS are still secure.  If there are both SHA1 and SHA256 DS records present, the SHA1 records are ignored by SHA256-capable validators, and no, you can't just remove the SHA256 DS record and have the DS RRset validate.

> On 4 Apr 2023, at 20:27, Petr Menšík <pemensik at redhat.com> wrote:
> 
> No, unfortunately there is no way to disable it. It just creates both digests, and there is no way to disable creation of SHA-1 in BIND 9.11. dnssec-dsfromkey -2 can be used to output only the SHA256 digest.
> 
> I think the automated process using dsset files does not offer switches to not generate them. With a manual signing process it should be possible to delete the SHA1 digest from the dsset file before signing it with dnssec-signzone. I doubt it would work smoothly with inline signing directly from named. At least not in our RHEL8 version.
> 
> Petr
> 
> On 24. 03. 23 14:35, John W. Blue via bind-users wrote:
>> Petr,
>> 
>> Thanks for sharing that tidbit of info.  Off the top of your head do you know if that can be disabled?
>> 
>> John
>> 
>> -----Original Message-----
>> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Petr Menšík
>> Sent: Friday, March 24, 2023 8:32 AM
>> To: bind-users at lists.isc.org
>> Subject: Re: DNSSEC error resolving gpo.gov ?
>> 
>> That is also done by BIND 9.11, not only Infoblox. It creates both digests on common operations.
>> 
>> On 3/14/23 16:23, John W. Blue via bind-users wrote:
>>> Keep in mind that SHA1 may not have been included by choice.
>>> 
>>> If gpo.gov is using Infoblox there is a, what I like to call, Infoblox-ism in play regarding DNSSEC where even if you choose RSA256 or RSA512 or whatever it will create a SHA1.
>>> 
>>> John
>>> 
>>> -----Original Message-----
>>> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Stephane Bortzmeyer
>>> Sent: Tuesday, March 14, 2023 10:17 AM
>>> To: Alexandra Yang
>>> Cc: bind-users at lists.isc.org
>>> Subject: Re: DNSSEC error resolving gpo.gov ?
>>> 
>>> On Tue, Mar 14, 2023 at 11:08:28AM -0400, Alexandra Yang <drayales at gmail.com> wrote a message of 154 lines which said:
>>> 
>>>> I wonder if anyone can shed some light on this; our nameserver (BIND 9.16.37) keeps giving errors on resolving gpo.gov and ns3.gpo.gov. Here are the errors:
>>> "DS record for zone gpo.gov with keytag 18496 was created by digest algorithm 1 (SHA-1) which is deprecated."
>>> https://zonemaster.fr/en/result/9161c8485223705c
>>> 
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>>> from this list
>>> 
>>> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>>> 
>>> 
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>> --
>> Petr Menšík
>> Software Engineer, RHEL
>> Red Hat, https://www.redhat.com/
>> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>> 
> 
> -- 
> Petr Menšík
> Software Engineer, RHEL
> Red Hat, http://www.redhat.com/
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
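The two points in this thread, the validator rule Mark refers to (RFC 4509 section 3: a SHA-256-capable validator ignores SHA-1 DS records when the DS RRset also contains SHA-256 ones) and the manual dsset-file edit Petr describes, as an added Python example that is not part of this thread and not BIND's code. It builds both DS digests for a DNSKEY (RFC 4034 section 5.1.4 plus the Appendix B key tag), applies the selection rule, and drops digest-type-1 lines from dsset-style text. The owner name example.test., the key bytes and all function names are constructed for illustration, not taken from gpo.gov or any real zone.

```python
"""DS digests from a DNSKEY and the RFC 4509 digest-type selection rule.

Added example, not BIND code. Owner name and key bytes are constructed.
"""
import hashlib
import struct

# Constructed sample DNSKEY: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256).
# The public key bytes are a made-up RSA exponent followed by a fake modulus.
SAMPLE_OWNER = "example.test."
SAMPLE_FLAGS = 257
SAMPLE_PROTOCOL = 3
SAMPLE_ALGORITHM = 8
SAMPLE_PUBKEY = bytes.fromhex("03010001") + bytes(range(1, 65))

DS_SHA1, DS_SHA256 = 1, 2
DIGEST_FUNCS = {DS_SHA1: hashlib.sha1, DS_SHA256: hashlib.sha256}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2): lowercased labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type, hex digest).

    RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA).
    """
    digest = DIGEST_FUNCS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_presentation(owner: str, ds: tuple) -> str:
    """One DS record in presentation format, as written to a dsset-* file."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def usable_ds(ds_rrset: list) -> list:
    """RFC 4509 section 3: ignore SHA-1 DS records if SHA-256 DS records are present."""
    if any(ds[2] == DS_SHA256 for ds in ds_rrset):
        return [ds for ds in ds_rrset if ds[2] != DS_SHA1]
    return list(ds_rrset)


def validates(owner: str, rdata: bytes, ds_rrset: list) -> bool:
    """True if some DS record the validator is willing to use matches this DNSKEY."""
    for ds in usable_ds(ds_rrset):
        if ds[2] in DIGEST_FUNCS and make_ds(owner, rdata, ds[2]) == ds:
            return True
    return False


def drop_sha1_from_dsset(lines: list) -> list:
    """Remove digest-type-1 entries from dsset-file lines (the manual edit from the thread)."""
    kept = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 7 and fields[2] == "DS" and fields[5] == str(DS_SHA1):
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    rdata = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY)
    both = [make_ds(SAMPLE_OWNER, rdata, DS_SHA1), make_ds(SAMPLE_OWNER, rdata, DS_SHA256)]
    for ds in both:
        print(ds_presentation(SAMPLE_OWNER, ds))
    print("digest types a SHA-256 validator will use:", [ds[2] for ds in usable_ds(both)])
```

Running it prints two dsset-style lines with the same key tag and algorithm, one 40-hex-character SHA-1 digest and one 64-character SHA-256 digest, and then `[2]`: with both present, only the SHA-256 DS takes part in validation. The same logic shows why a wrong SHA-256 DS is not rescued by a correct SHA-1 DS sitting beside it.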


